Announcing Cryostat 2.0: JDK Flight Recorder for containers

Cryostat is a container-native JVM application that provides a secure API for profiling and monitoring containers with JDK Flight Recorder (JFR). JDK Flight Recorder collects profiling and diagnostic data from applications using JFR events stored in binary flight recordings. When requested, Cryostat can retrieve, store, and analyze flight recordings from containerized Java virtual machines (JVMs) to assess overall application health. Users can download recording files and upload them to JDK Mission Control (JMC) or Grafana for further analysis.

This article introduces Cryostat and shares new features in the 2.0 release, including example use cases, tips for getting started, and additional release notes. For more information about Cryostat fundamentals, visit Introduction to Cryostat: JDK Flight Recorder for containers.

Read the series

Read all of the articles in this series of hands-on guides to using Cryostat 2.0:

• Part 1: Get started with Cryostat 2.0
• Part 2: Configuring Java applications to use Cryostat
• Part 3: Java monitoring for custom targets with Cryostat
• Part 4: Automating JDK Flight Recorder in containers
• Part 5: Creating Custom JFR event templates with Cryostat 2.0

Note: The Red Hat build of Cryostat 2.0 is now widely available in technology preview. The Red Hat build includes the Cryostat Operator to simplify and automate Cryostat deployment on OpenShift.

Using Cryostat with JDK Flight Recorder

Cryostat is compatible with JVMs that (1) can accept incoming JMX connections, and (2) include JDK Flight Recorder. This includes OpenJDK and most downstream builds or distributions of OpenJDK, such as Red Hat OpenJDK and Adoptium OpenJDK.

The JDK Mission Control desktop-only application requires users to retrieve flight recordings on a local disk. When bare-metal JDK Flight Recorder writes recordings to the local file system inside a container, those recordings are lost when the container restarts. A complicated and likely insecure workaround would involve establishing a direct connection between a desktop workstation and the containerized JVMs in the cloud over Java Management Extensions (JMX).

Cryostat securely retrieves and stores flight recordings from containerized JVMs, so users can access these recordings over HTTP/HTTPS. Cryostat’s low overhead during both profiling and continuous monitoring allows users to monitor application performance in production. Users can start recordings with built-in or custom event templates in multiple JVMs at once.

Use cases for Cryostat 2.0

Example use cases for Cryostat 2.0 include automated rules, batch retrieval of JDK Flight Recorder data, and custom target definitions and support for non-RMI JMX connectors. We'll write more about each of these use cases in future articles.

Highlights of the 2.0 release

We've added the following major new features in Cryostat 2.0:

• Cryostat Operator: Cryostat is now offered as an OpenShift Operator, also in tech preview, available from the OperatorHub on OpenShift 4.6 and higher. The Cryostat Operator eases configuration and deployment of Cryostat into your OpenShift namespaces and provides an OpenShift custom resource interface to the Cryostat API, enabling you to build more integrations with other OpenShift Operators and services in more flexible ways.
• Automated rules: A common use case for Cryostat is to enable continuous monitoring, or other JFR event templates, to all or some subset of JVMs in the target application. Automated rule definitions allow users to specify what kinds of JVMs should be triggered on—using criteria like port number, OpenShift annotations, OpenShift labels, or JVM alias—along with what kind of JDK Flight Recorder events should be recorded, and how often the JFR data should be copied from each target into the Cryostat archive.
• Batch operations: Another common use case for Cryostat is to retrieve all JFR data from a set of target JVMs when some external event occurs. In Cryostat 1.0, a client would need to observe the external event and then fire N HTTP requests to Cryostat to retrieve JFR data from each of the N target applications. In Cryostat 2.0, a shorthand allows clients to fire one HTTP request and prompt Cryostat to retrieve data from a set of targets into the Cryostat archives. The client can then download the JFR data from Cryostat as needed.
• Custom targets: Users can now create target definitions manually, rather than relying upon Cryostat's platform-tailored JVM discovery mechanisms.

Keep an eye out for upcoming articles highlighting and demonstrating these features.

How to get started with Cryostat 2.0

Install the Cryostat Operator to deploy Cryostat on OpenShift or another Kubernetes cluster. Check out the following links for installation and usage instructions:

• The recommended installation guide at cryostat.io.
• Our guide to manual Cryostat installation and setup for testing and demonstration purposes.
• Get started with the Cryostat web UI at cryostat.io.
• The Cryostat API usage guide: HTTP_API.md.
• The Cryostat README.

Additional 2.0 features

There are a few other minor new features in Cryostat 2.0:

• Client-defined connection protocols: Allow Cryostat to communicate with target JVMs using different JMX protocol implementations (see pull request #482 for details).
• POST /api/v2/certificates: Upload an SSL certificate to trust when connecting to target JVMs.
• GET /api: List all API operations.
• Push notifications for Cryostat operations.

Breaking changes since Cryostat 1.0

The Cryostat 2.0 release brings some breaking changes since version 1.0. We felt these changes were necessary as Cryostat matures into a full-fledged product that can best serve our users’ diverse needs.

Removal of the interactive command channel

The interactive command channel has been replaced with a one-way WebSocket notifications channel. Cryostat was initially implemented as an interactive-mode utility with user actions limited to a set of pre-defined commands. This functionality was later extended to allow remote network access using WebSocket, resulting in the command channel. However, now that all of the command channel functionality has been ported over to the HTTP API, the channel has been adapted to instead provide one-way notifications to any targets connected to the Cryostat instance.

Removal of event specifier strings

Previously, users were able to specify JDK Flight Recorder events to be monitored during a recording using event specifier string syntax (such as jdk.SomeEvent:optionName=value;jdk.AnotherEvent:secondOption=value2;...). Now, you can specify events during recording creation by providing the JDK Flight Recorder event template name. Users can pick from a variety of standard templates or upload their own custom templates to Cryostat. Because they consist of XML, templates are easier to create, edit, validate, and share, and are also interoperable, as they are the standard JDK format.

Conclusion

The tech preview release of Cryostat 2.0 lets you monitor containerized JVMs on an OpenShift or Kubernetes cluster. Furthermore, you can create, manage, and download JDK Flight Recorder recordings for analysis in JDK Mission Control or Grafana. To learn more about Cryostat 2.0, visit the Cryostat homepage, cryostat.io, and feel free to join our mailing list to connect to the upstream community.